User Name "not set" with external LDAP authentication
Hi, Just wondering if I got my setup right, I have Galaxy front-ended by Apache doing the static caching, proxying and LDAP auth. What's nice is that user's don't have to be created by an admin if the user authenticates and authorizes properly against the LDAP config then Galaxy will automatically create the user locally. My question is that it shows that the User Name is "not set" for such users, is this the way its supposed to be or can I modify my LDAP config in such a way that it does set a User Name? regards, Leandro
Hi Leandro, On Apr 27, 2011, at 3:50 PM, Leandro Hermida wrote:
Hi,
Just wondering if I got my setup right, I have Galaxy front-ended by Apache doing the static caching, proxying and LDAP auth. What's nice is that user's don't have to be created by an admin if the user authenticates and authorizes properly against the LDAP config then Galaxy will automatically create the user locally.
My question is that it shows that the User Name is "not set" for such users, is this the way its supposed to be
No
or can I modify my LDAP config in such a way that it does set a User Name?
Yes, you can. I have a similar setup: # # For short logins. (Requires rewriting AuthLDAPBindDN to long form.) # AuthLDAPURL "ldap://ldap.uu.nl/ou=medewerkers,o=uu?uuShortID,uuMail" AuthLDAPBindDN "uid=${REMOTE_USER}@soliscom.uu.nl,ou=medewerkers,o=uu" # # Pass the user's e-mail address on to Galaxy as "login" # RewriteEngine On RequestHeader set REMOTE_USER %{AUTHENTICATE_UUMAIL}e Note that the uuMail attribute requested via the AuthLDAPURL somehow gets expanded into an AUTHENTICATE_UUMAIL environment variable, which can then be used to rewrite "REMOTE_USER". You should be able to get something similar, but the exact syntax will depend on the attributes defined in your LDAP. Note that the example above allows my users to login with the part of their account before the @. Since the domain part after the @ is the same for all of them (soliscom.uu.nl), this saves them some typing when logging in :). Their e-mail addresses may be different though, so I rewrite the REMOTE_USER to display their e-mail address as Galaxy "account" in the web interface. Cheers, Pi
regards, Leandro
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
------------------------------------------------------------- mobile: +31 6 143 66 783 e-mail: pieter.neerincx@gmail.com skype: pieter.online -------------------------------------------------------------
Hi Pieter, On Wed, Apr 27, 2011 at 4:14 PM, Pieter Neerincx <pieter.neerincx@gmail.com>wrote:
Hi Leandro,
On Apr 27, 2011, at 3:50 PM, Leandro Hermida wrote:
Hi,
Just wondering if I got my setup right, I have Galaxy front-ended by Apache doing the static caching, proxying and LDAP auth. What's nice is that user's don't have to be created by an admin if the user authenticates and authorizes properly against the LDAP config then Galaxy will automatically create the user locally.
My question is that it shows that the User Name is "not set" for such users, is this the way its supposed to be
No
or can I modify my LDAP config in such a way that it does set a User Name?
Yes, you can. I have a similar setup:
# # For short logins. (Requires rewriting AuthLDAPBindDN to long form.) # AuthLDAPURL "ldap:// ldap.uu.nl/ou=medewerkers,o=uu?uuShortID,uuMail" AuthLDAPBindDN "uid=${REMOTE_USER}@soliscom.uu.nl ,ou=medewerkers,o=uu" # # Pass the user's e-mail address on to Galaxy as "login" # RewriteEngine On RequestHeader set REMOTE_USER %{AUTHENTICATE_UUMAIL}e
Note that the uuMail attribute requested via the AuthLDAPURL somehow gets expanded into an AUTHENTICATE_UUMAIL environment variable, which can then be used to rewrite "REMOTE_USER". You should be able to get something similar, but the exact syntax will depend on the attributes defined in your LDAP. Note that the example above allows my users to login with the part of their account before the @. Since the domain part after the @ is the same for all of them (soliscom.uu.nl), this saves them some typing when logging in :). Their e-mail addresses may be different though, so I rewrite the REMOTE_USER to display their e-mail address as Galaxy "account" in the web interface.
I have this *exact* same setup as you where I am authenticating with the LDAP user ID and returning a mail LDAP attribute as REMOTE_USER, but this sets the Galaxy user email address (which in Galaxy is the user ID) but is *doesn't* set any *User Name*, all my external users have User Name "not set". Are you sure your setup above sets the User Name to something? Check under Admin -> Manage Users, under the User Name column all my users that are external yes say "not set".
Cheers,
Pi
regards, Leandro
Hi Leandro, On Apr 27, 2011, at 6:08 PM, Leandro Hermida wrote:
Hi Pieter,
<cut>
I have this *exact* same setup as you where I am authenticating with the LDAP user ID and returning a mail LDAP attribute as REMOTE_USER, but this sets the Galaxy user email address (which in Galaxy is the user ID) but is *doesn't* set any *User Name*, all my external users have User Name "not set". Are you sure your setup above sets the User Name to something? Check under Admin -> Manage Users, under the User Name column all my users that are external yes say "not set".
Sorry for the confusion. Indeed it's the user ID alias e-mail address that is set correctly. The user name is "not set" and I don't know how to set it or if that is even possible with the current Galaxy.... Maybe some of the developers can enlighten us... Cheers, Pi
regards, Leandro
------------------------------------------------------------- mobile: +31 6 143 66 783 e-mail: pieter.neerincx@gmail.com skype: pieter.online -------------------------------------------------------------
Pieter Neerincx wrote:
Hi Leandro,
On Apr 27, 2011, at 6:08 PM, Leandro Hermida wrote:
Hi Pieter,
<cut>
I have this *exact* same setup as you where I am authenticating with the LDAP user ID and returning a mail LDAP attribute as REMOTE_USER, but this sets the Galaxy user email address (which in Galaxy is the user ID) but is *doesn't* set any *User Name*, all my external users have User Name "not set". Are you sure your setup above sets the User Name to something? Check under Admin -> Manage Users, under the User Name column all my users that are external yes say "not set".
Sorry for the confusion. Indeed it's the user ID alias e-mail address that is set correctly. The user name is "not set" and I don't know how to set it or if that is even possible with the current Galaxy.... Maybe some of the developers can enlighten us...
Correct, this feature was missing. As of changeset 5469:7c101a11d261 Galaxy will now set the username to the value preceeding the '@' in the email address, or append '-<integer>' if that username is taken. Users can modify their username from the 'User' menu in the masthead. --nate
Cheers,
Pi
regards, Leandro
------------------------------------------------------------- mobile: +31 6 143 66 783 e-mail: pieter.neerincx@gmail.com skype: pieter.online -------------------------------------------------------------
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
On Thu, Apr 28, 2011 at 5:33 PM, Nate Coraor <nate@bx.psu.edu> wrote:
Hi Leandro,
On Apr 27, 2011, at 6:08 PM, Leandro Hermida wrote:
Hi Pieter,
<cut>
I have this *exact* same setup as you where I am authenticating with
Pieter Neerincx wrote: the LDAP user ID and returning a mail LDAP attribute as REMOTE_USER, but this sets the Galaxy user email address (which in Galaxy is the user ID) but is *doesn't* set any *User Name*, all my external users have User Name "not set". Are you sure your setup above sets the User Name to something? Check under Admin -> Manage Users, under the User Name column all my users that are external yes say "not set".
Sorry for the confusion. Indeed it's the user ID alias e-mail address
that is set correctly. The user name is "not set" and I don't know how to set it or if that is even possible with the current Galaxy.... Maybe some of the developers can enlighten us...
Correct, this feature was missing. As of changeset 5469:7c101a11d261 Galaxy will now set the username to the value preceeding the '@' in the email address, or append '-<integer>' if that username is taken. Users can modify their username from the 'User' menu in the masthead.
--nate
Thanks Nate for the info. I would like to add though that this might not work for many organizations. Many places have for example: lhermida as username leandro.hermida@domain.org as the email address
Cheers,
Pi
regards, Leandro
------------------------------------------------------------- mobile: +31 6 143 66 783 e-mail: pieter.neerincx@gmail.com skype: pieter.online -------------------------------------------------------------
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
Leandro Hermida wrote:
Thanks Nate for the info. I would like to add though that this might not work for many organizations. Many places have for example:
lhermida as username leandro.hermida@domain.org as the email address
This is okay, the username does not need to match the email address. If it's desired to use the longer version, a user can always change it later. I committed a minor fix in 5483:4933de88cdb0 that will convert the username to lowercase and replace any invalid characters (anything other than lowercase letters, numbers, and the dash character) with a dash when the username is automatically created upon first access by a new user. --nate
participants (3)
-
Leandro Hermida -
Nate Coraor -
Pieter Neerincx